COMMAND

    rexecd

SYSTEMS AFFECTED

    HP9000 S700/800 10.X trusted systems

PROBLEM

    Kevin K. Sochacki posted the following about a bug in rexecd on
    systems running HP-UX 10.x that have been converted to trusted
    systems.  On unsuccessful login attempts via rexec/rexecd the bad
    login counter (u_numunsuclog) is updated as it should be; however,
    on a successful login the bad login counter does not get cleared.
    So if users inadvertently mistype their password even once between
    successful logins, they will eventually be locked out.  Lockouts
    should only occur when consecutive unsuccessful logins exceed the
    allowed bad logins.
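
    The counter behaviour described above, as an added example that is
    not HP-UX or rexecd source: it replays a constructed login history
    under both policies. The names first_lockout, policy and allowed
    are assumptions; only u_numunsuclog comes from the advisory.

```c
#include <stdio.h>
#include <stddef.h>

/* Added illustration of the counter logic; not HP-UX source code. */
enum policy { NEVER_CLEARED, CLEARED_ON_SUCCESS };

/* Constructed history: 1 = correct password, 0 = mistyped password. */
static const int history[] = { 1, 0, 1, 1, 0, 1, 0, 1, 1 };
#define HISTORY_LEN (sizeof history / sizeof history[0])

/* Replays the attempts and returns the 0-based index of the first attempt
 * refused because the account is locked, or -1 if none is refused.
 * `allowed` is a hypothetical name for the allowed bad logins. */
int first_lockout(enum policy p, int allowed, const int *ok, size_t n)
{
    int u_numunsuclog = 0;          /* bad login counter from the advisory */

    for (size_t i = 0; i < n; i++) {
        if (u_numunsuclog > allowed)
            return (int)i;          /* locked: a correct password is refused too */
        if (!ok[i])
            u_numunsuclog++;        /* failures are counted under both policies */
        else if (p == CLEARED_ON_SUCCESS)
            u_numunsuclog = 0;      /* the reset the advisory says is missing */
    }
    return -1;
}

int main(void)
{
    printf("counter never cleared:      first refused attempt = %d\n",
           first_lockout(NEVER_CLEARED, 2, history, HISTORY_LEN));
    printf("counter cleared on success: first refused attempt = %d\n",
           first_lockout(CLEARED_ON_SUCCESS, 2, history, HISTORY_LEN));
    return 0;
}
```

    With three isolated mistypes spread across otherwise successful
    logins, only the never-cleared policy ends in a lockout.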

SOLUTION

    This problem _has_ been "fully" addressed in patch PHNE_12161.
    Note that this patch only fixed a problem of not updating the bad
    login counter.  This _does_ fix the vulnerability issue; however,
    on successful logins the bad login counter _does_not_ get cleared,
    therefore locking the users out no matter how many times they log
    in successfully between unsuccessful attempts.